
Thread: My domain got hacked!

  1. #1
    Just because. LavenderLounge's Avatar
    Join Date
    Mar 2004
    Location
    San Francisco/ Oakland
    Posts
    825

    My domain got hacked!

    A friend called this morning to tell me my domain, http://www.LavenderLounge.com got hacked. When I checked, sure enough, there was an image of a gnarling dog and this text:

    .:[ LegijaOne Ownz you! ]:.
    .:[ by FDCR3W ]:.
    .:[ H3LLdOgz on the NET! ]:.

    I opened my ftp program and found that my "index.html" file had been renamed "xxxindex.html" and there was a new file named "index.php" with that image imbedded.

    All I needed to do was delete those weird files and re-load the right file, and it seems to be alright for now.

    I called my host, Webair, and they are checking for security leaks.

    I am curious to find out the how's and why's. Has this happened to any of you before?
    Mark Kliem
    LavenderLounge.com -megasite
    LavenderLoungeblog.com - gay porn news
    LavenderLounge.biz - affiliate program


  2. #2
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    Quote Originally Posted by LavenderLounge
    I called my host, Webair
    There's your problem right there

    Regards,

    Lee


  3. #3
    dwaynered
    Guest
    Quote Originally Posted by Lee
    There's your problem right there

    Regards,

    Lee
    Yup Mark, definitely sounds like your webhost has security problems.


  4. #4
    dwaynered
    Guest
    Perhaps you should host with us Mark.

    www.dotcomhost.com


  5. #5
    dwaynered
    Guest
    Just talked to one of our IT guys and he said to make sure you update all the software you use to run your site. Older versions are exploitable especially on a site that is dynamic like LavenderLounge.com. There are backdoors that hackers can use to access your root files very easily.


  6. #6
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Make sure you update all your scripts, there are some very serious hacks out there for old versions of phpbb, autogallery, mambo and lots of other common scripts. What scripts were you running?

    If you had no scripts running then it's a problem with your webhost. Are you on a shared or dedicated server?

    cheers,
    Luke


  7. #7
    Just because. LavenderLounge's Avatar
    Join Date
    Mar 2004
    Location
    San Francisco/ Oakland
    Posts
    825
    Webair said the same thing about outdated scripts.

    My blog is done with Movable Type, but otherwise the site is just done in very basic html. I wouldn't know php from pcp, they both make me dizzy.

    It's a dedicated server, btw.

    I used to have a little script on that page from Sex Money that did a redirect from foreign language users. Could that be it?
    Mark Kliem
    LavenderLounge.com -megasite
    LavenderLoungeblog.com - gay porn news
    LavenderLounge.biz - affiliate program


  8. #8
    Just because. LavenderLounge's Avatar
    Join Date
    Mar 2004
    Location
    San Francisco/ Oakland
    Posts
    825
    Lee,

    I am surprised at your comment about Webair. I signed up with them on YOUR recommendation!
    Mark Kliem
    LavenderLounge.com -megasite
    LavenderLoungeblog.com - gay porn news
    LavenderLounge.biz - affiliate program


  9. #9
    arrival77
    Guest
    Quote Originally Posted by LavenderLounge
    A friend called this morning to tell me my domain, http://www.LavenderLounge.com got hacked.
    I don't know if this helps but you're running Apache 1.3.29, when the latest version is actually 1.3.35. There have been a number of security updates since 29.

    Apache is in and of itself generally very secure, so I would certainly look at some of the other scripts running on your page as well as suggested above.


  10. #10
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    It may have been your Movable Type (I am not sure if they have had any security issues in the past) but if you are not running any other scripts, it could just as likely be your webhost has not updated Apache, PHP, MySQL, kernel, OpenSSL, SSH, etc...

    I am assuming they do up2date runs for you? and kernel upgrades? and control panel updates? and have secured your server with stuff like mod_security, making tmp nonexecutable, installing and running anti-rootkit tools, installing a firewall, etc?


  11. #11
    Life is a dick and when it's get hard---just fuck it... DEVELISH's Avatar
    Join Date
    Jul 2005
    Posts
    2,367
    Quote Originally Posted by LavenderLounge
    Lee,

    I am surprised at your comment about Webair. I signed up with them on YOUR recommendation!

    Hi Mark,

    I believe Lee wanted to point out that the problem is the hoster in general.


    :develish:


  12. #12
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Mark, check with your host to see if they can either give you copies of recent logs or if they have been able to track down exactly how they hacked into your site. There are almost always traces of how the hackers got in, it's just a matter of finding them. That will help you get things fixed and secured.
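
Alongside the logs, the web root itself holds the traces described in the first post (an original index file renamed out of the way, a new index file in its place). The following is an added example, not part of any post in this thread: a Python triage pass over a document root, where the index file names, the 24-hour window and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: names a web server commonly serves as the directory index.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def triage_docroot(docroot, since_epoch):
    """Return (recent, displaced) for the tree under docroot.

    recent    -- files whose content was written at or after since_epoch
    displaced -- (renamed_file, live_index_files) pairs, e.g. a file named
                 'xxxindex.html' and the index files now served instead
    """
    recent, displaced = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        here = Path(dirpath)
        live = sorted(f for f in files if f.lower() in INDEX_NAMES)
        for name in sorted(files):
            path = here / name
            try:
                st = path.lstat()
            except OSError:
                continue  # vanished or unreadable: skip, keep walking
            rel = str(path.relative_to(docroot))
            if st.st_mtime >= since_epoch:
                recent.append(rel)
            low = name.lower()
            # A rename does not touch mtime (only ctime moves), so a
            # displaced original has to be caught by its name instead.
            if low not in INDEX_NAMES and low.endswith(INDEX_NAMES):
                displaced.append((rel, live))
    return recent, displaced


def demo():
    """Constructed sample tree mirroring the file names from post #1."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = time.time() - 90 * 86400  # pretend these are 90 days old
        for name in ("xxxindex.html", "about.html"):
            (root / name).write_text("<html></html>")
            os.utime(root / name, (old, old))
        (root / "index.php").write_text("<?php /* placeholder */ ?>")
        return triage_docroot(root, time.time() - 86400)


if __name__ == "__main__":
    print(demo())
```

A clean result from a check like this says little on a box where root may have been taken, since timestamps and tool output can be altered there; it is a first look, not a replacement for the rebuild discussed later in the thread.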


  13. #13
    desslock
    Guest
    Mark:

    Change your passwords.

    One of those front page replacement robots successfully hacked me once years ago on texascooking.com. I remember that when I first saw my front page I just freaked out..... but like you, the robot did some minor renaming and nothing was erased en masse. I think they just hacked my FTP password. I recall you on here earlier mentioning that your own LL account/pass was posted on that rip-off website that propagates stolen passwords.

    Perhaps that pass is now out in public and also happens to be your FTP or FrontPage or whatever account that you use to update the site.

    About a year ago, I woke up in abject fear of my sites getting hacked. So I set it up so that my webserver's root and admin access passwords are not the same passwords that I use to log into my affiliate programs, like ccBill or DHDmedia. Nor are they associated with my MS Outlook email passwords, which potentially might get snatched by a virus.

    We all have lots of usernames and passwords nowadays, especially those of us doing business with online companies. What if an insane imminently-to-be-fired employee stole some company data with affiliates, and went out phishing for websites they could compromise?

    As another paranoid precaution - I took my domain name accounts with the two domain name hosts I use, and I made those even different passwords with letter/number combos. And then (most importantly) I wrote this ALL down in a notebook that I always know where it is, and won't throw away.

    Imagine someone hacking your internic domain names and switching the DNS records for your websites. What a nightmare scenario!

    Glad your problem turned out to be relatively minor.

    Steve


  14. #14
    On the other hand.... You have different fingers
    Join Date
    Feb 2004
    Location
    San Francisco
    Posts
    3,548
    I would personally be VERY concerned. Depending on whether the hacker was just a low-level script kiddie or someone actually competent, you could have backdoors, rootkits, or God knows what else.

    Make sure that whoever is checking out your server at your ISP is really well versed in examining a server for security breaches, and not some $8/hr guy who is more interested in what's for lunch than your server issue.

    In our case, when we had a security breach sometime back, I had a friend of mine who does IT security and intrusion detection work check out the server AFTER the ISP had looked at it... and he found evidence of a rootkit on the server, complete with full backdoor access giving the hacker root access to the box.

    We rebuilt the box from scratch, and restored from an earlier backup. If you're storing any critical information (credit card numbers, etc), that's the ONLY safe way to go.


  15. #15
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Desslock, I totally forgot to mention to change all passwords asap!

    Chip, you are absolutely correct. After being hacked the best way to know you are on a secure server again is to rebuild it from scratch.

